Development and Implementation

Implement Cyber Readiness Requirements

Implementing Cyber Readiness requirements is an extensive process with a broad impact across the enterprise. Beyond the traditional technical security controls, we take steps in our approach to ensure the management and operational controls also address securing the layers that include people, process, and technology. The goal of this approach is to ensure all links in the chain are effective or augmented by the deployment of compensating controls. The successful implementation of Cyber Readiness requirements is dependent upon top-down support and commitment from all stakeholders. The structured and consistent implementation of these requirements is most effectively achieved as part of a comprehensive enterprise security program. The foundation of the program is a governance framework implemented through policies and procedures that place into operation those identified requirements consistent with the organization’s business processes, structure, and technology portfolio.

Enterprise Security Program Support

Foundational to the security culture within an organization and its ability to protect its IT investments is the establishment of a security program. Security programs typically include many different components, including policies, standards, and procedures. SecureForce has built complete security programs from the ground up as well as supported individual components within a program. Our flexibility and well-rounded experience have allowed us to adapt wherever necessary to ensure harmonization between components while maximizing the effectiveness of the program.

SecureForce has developed policies for enterprise security programs implementing Federal Information Security Management Act (FISMA) requirements for federal civilian, Department of Defense (DoD), and Intelligence Community (IC) organizations. As appropriate, the programs were modeled after NIST Federal Information Processing Standards (FIPS) and Special Publications (SPs); Department of Defense Directive 8500.1 and Instruction 8500.2; or Intelligence Community Directive 503 and the Committee on National Security Systems (CNSS) Instruction 1253. We have also developed and conducted security awareness training to socialize the policies across organizations.

While policies establish the foundation, the development of the plans and procedures to implement the policies is where the “rubber meets the road”. From configuration management plans to incident response plans and auditing procedures to user account provisioning and de-provisioning procedures, we become deeply involved in our client’s processes. Doing so allows us to bridge policy to procedure and place into operation the complete security program.

In addition to developing the IT contingency plans to ensure continuity of operations and recovery of systems, we have driven Continuity of Operations Planning (COOP) initiatives to ensure the ability of the IT portfolio to support the ongoing operations and missions of the organization.

Secure Configuration Implementation Support

Establishing and deploying secure configuration baselines is critical to securing the enterprise. However, the implementation of secure configuration baselines is a lengthy and exhaustive process involving extensive lockdown procedures across all IT components. This process can put a strain on developer and administrator resources while testing the extent of system knowledge, especially for obscure settings not routinely encountered. SecureForce security engineers have extensive experience supporting secure configuration efforts for applications, databases, operating systems, and network devices. We routinely work with developers, architects, and administrators to perform trade-off analysis to satisfy the requirements while minimizing the impact secure configuration settings have on system performance and functionality. Over the years we have gained significant experience implementing the following:

Technical Solution Deployment and Integration

SecureForce has evaluated and deployed dozens of security technologies that span point solutions addressing specific threats to multi-faceted integrated solutions. As a trusted advisor, SecureForce has assisted our clients with the development of functional requirements and the identification of security requirements against which suitable products are tested. Based upon these requirements, constraints, and specifications, we execute a multi-phased process to identify and pre-qualify vendor solutions for initial consideration and preliminary selection by the client. Our security engineers develop and execute test cases for the evaluation of the products and provide a comprehensive and unbiased report of each product’s ability to satisfy the security requirements. Pros and cons for each solution are also presented along with our recommendation on the solution that represents the “best fit” for the client.

To ensure effective implementation and production use of the selected solution, we work with the vendor to develop role-based product training and test cases to support User Acceptance Testing for our client. Additionally, implementation of the enterprise security policy is achieved through the development of standard operating procedures specific to the deployed technology.

For those technologies that provide data to or utilize data from other sources, we support integration of the solutions as well as the development of customized reporting to take advantage of the enhanced capabilities provided by the integration.